NetScaler Gateway - Marius Sandbu


NetScaler Gateway
MARIUS SANDBU

Revision: Version 1.03 (07.04/2016)

About the author:
Marius Sandbu works as a Cloud Architect for Exclusive Networks in Norway, where he focuses on software-defined datacenter, end-user computing and cloud technologies. He is a Microsoft Azure MVP, Veeam Vanguard and VMware vExpert and the author of Implementing NetScaler VPX and Mastering NetScaler VPX. He can be contacted on Twitter @msandbu or on his email msandbu@bigtec.com. Marius blogs at http://msandbu.wordpress.com

Information about this eBook
This short eBook covers most of the different configuration options that are possible with NetScaler Gateway and also digs into Unified Gateway, which is part of NetScaler version 11. It is intended for consultants who work with NetScaler Gateway and want to use this as a reference guide for troubleshooting or checking configuration.

The book is split into different sections; for instance, there are separate sections for ICA-proxy setup and another for Clientless Access and Full VPN. Some sections are also just grouped together because of my inability to group properly.

This book is not by any means a full guide to NetScaler Gateway, but I am dependent on feedback to make it even better. If you have any feedback, please send it to

Special thanks to my reviewers!
Daniel Wedel
Carl Stalhood
Carl Behrent
Dave Brett

Any feedback can be directed to my email msandbu@gmail.com

Note: the information presented in this eBook is based on NetScaler version 11.0, XenDesktop 7.8 and Storefront 3.5, unless stated otherwise.

Content

NetScaler Gateway basics ... 6
Licensing and editions ... 8
When to use what? ... 11
NetScaler and traffic flow ... 12
General settings for NetScaler ... 14
External authentication for administrators ... 14
Setting up ICA-proxy ... 16
ICA-proxy traffic Flow ... 16
Virtual Server setup ... 18
Certificates ... 20
Authentication ... 22
SSL Settings ... 25
Profiles ... 26
TCP Profiles ... 27
Published Applications ... 32
Policies ... 32
Citrix Receiver policy ... 33
Citrix Receiver for Web Policy ... 34
Storefront ... 35
Summary ICA-proxy ... 38
ICA Proxy with two armed ... 38
Double-hop configuration ... 41
Framehawk and Audio over DTLS ... 43
RDP Proxy ... 45
GSLB and Zone feature ... 50
GSLB Basics ... 50
Authoritative DNS ... 52
Zone based GSLB deployment ... 53
VPN and Endpoint analysis ... 53
Full VPN with endpoint scanning ... 54
Preauthentication policy ... 54
Session policy ... 60
Split tunneling ... 61
Client IP pools ... 62
Clientless Access ... 62
Adding resources ... 65
Binding the features together ... 67
Unified Gateway ... 68
Smart Access – Access Policy ... 73
Smart Control – ICA Policies ... 75
Group Based Access ... 77
High availability ... 79
Cross-subnet High-availability ... 83
Failsafe mode ... 83
VMAC ... 84
Upgrading ... 86
Portal customization ... 88
Binding an EULA to the Portal ... 90
Security settings ... 90
Authentication and Authorization ... 99
SAML Authentication ... 99
Allow password change from NetScaler Gateway ... 104
Allow password change from Storefront ... 106
Multifactor authentication ... 107
Authorization ... 112
Troubleshooting ... 115
Endpoint Access ... 115
Name resolution not working ... 115
ICA-proxy ... 116
Cannot complete your request ... 116
Your logon has expired ... 117
Unknown Client error 1110 ... 117
Cannot Start Desktop "COMPUTERNAME" ... 118
Error: Login exceeds maximum allowed users ... 118
Http/1.1 Internal Server Error 43531 ... 119
403 - Forbidden: Access is denied ... 119
Authentication ... 119
Other design examples ... 121
Multitenant ICA-Proxy ... 121
Monitoring ... 125
Insight Center ... 125
Command Center ... 127
Goliath IT analytics for NetScaler ... 128
System Center Operations Manager ... 130

NetScaler Gateway basics

NetScaler Gateway is a feature which delivers remote access for end users. It can either be in the form of remote access using Citrix Receiver, where we have the NetScaler Gateway proxy connections to backend XenDesktop servers. It can also be in the form of clientless access, meaning that we can use a regular web browser to get access to, for instance, internal web resources or even files. We can also use it for full VPN access, meaning that our endpoint becomes part of an internal network and is allowed to communicate directly with internal resources over a secure VPN tunnel.

NOTE: NetScaler Gateway is one of the more commonly used features within Citrix NetScaler. It can either be used as a feature on the NetScaler VPX/MPX, or we can buy the NetScaler Gateway VPX/MPX, which is only licensed to do NetScaler Gateway.

So for instance, if we are using Citrix Receiver for remote access, it will connect directly to the Gateway virtual server, which will then establish a connection with the backend XenDesktop farm. If we use the full VPN client, we can either be using the NetScaler as the source IP to browse internal resources, or we can be given an IP from a DHCP scope. We can also use clientless access, which gives us SSL VPN over a regular internet browser and allows us to browse internal web resources and file servers.

In NetScaler 11, Citrix introduced something called Unified Gateway, which allows us to aggregate load balanced web services, cloud services and internal Citrix applications in a unified app portal.

Unified Gateway leverages two additional features, content switching and AAA. The AAA module is used to deliver SSO against different resources, such as internal load balanced resources and cloud applications like Salesforce or Office 365. Therefore, it is important to remember that Unified Gateway is not a feature available in NetScaler Gateway MPX/VPX.

There will be more about Unified Gateway later in the eBook.

NetScaler Gateway is essentially a virtual server which listens for requests on port 443 by default and, depending on the configuration, can act as an ICA Proxy only virtual server or as a multi-purpose remote access solution. When a user tries to connect to the virtual server, they will be asked to authenticate against the authentication policy that triggered; after successful authentication, the user will be processed against different policies, which may allow them to set up an ICA proxy session with a backend XenDesktop server or full VPN access.

All of the ICA proxy and most of the VPN setup and configuration is done using session policies, where we define the address of Storefront and how the client should behave. Here we can also specify some of the particular VPN settings. Some of the VPN settings are also done at the virtual server level, for instance whether a virtual server should only be configured as an ICA proxy server or whether it can be used for more of the advanced features like SSL VPN and/or full VPN. We also have traffic policies, which are used to define, for instance, SSO properties to backend resources, enforce network traffic rules and disable certain features. This is pretty much the essence of how NetScaler Gateway looks and behaves.

Licensing and editions

NetScaler Gateway can be used as a feature on a regular NetScaler appliance (running either Standard, Enterprise or Datacenter edition), or it can be used as a separate appliance, either NetScaler Gateway MPX, which is a physical appliance, or NetScaler Gateway VPX, which is a virtual appliance. The difference between the NetScaler Gateway appliance and the regular NetScaler is that the Gateway appliance ONLY has the Gateway feature.

Now we have two different licenses for use with NetScaler Gateway. The first thing we need is the platform license, to be able to use the NetScaler platform and activate the Gateway feature; the other is called the Universal license, which enables additional features. It is important to remember that the Universal license is optional, depending on whether we need those features, while the platform license is mandatory.

The regular NetScaler appliance, physical or virtual, is licensed using the host ID, and the Gateway feature is included as a sub-feature. The host ID of the appliance can be retrieved from the CLI using the show hardware command, and then needs to be entered in the Citrix licensing portal. If we use a NetScaler Gateway appliance, it needs to be licensed using the hostname, which can be configured and retrieved from the CLI using the commands set hostname and show hostname.

Both these options will give us a platform license. Now if we just use the platform license, we get the following features:

- ICA Proxy
- NetScaler (High-availability)
- Central administration using Command Center
- Unlimited virtual servers

Note that there is no user limit with the platform license, meaning that when we allocate a platform license to a NetScaler it is bound to the appliance. This also means that we have no licensing user limit on the ICA proxy solution; it is only bound by the number of users the NetScaler can handle.

Universal license

By default, all NetScaler appliances (NetScaler Gateway/NetScaler Standard/NetScaler Enterprise) come with five Universal licenses. NetScaler Platinum comes with 100 Universal licenses. If customers want more users, they need to buy additional Universal licenses, which come as concurrent user licenses.

A Universal license is required if we want to use a NetScaler Gateway with the following features:

- SSL VPN
- Full VPN Access
- MicroVPN for XenMobile
- CloudBridge integration
- Endpoint analysis
- SmartAccess
- Secure Access to ShareFile / XenMobile

Universal licenses are also licensed using the hostname when defining this in the Citrix licensing portal. Licenses can simply be added using the GUI by going into the management portal, System -> Licenses -> Manage licenses -> Add New License.

After a license has been added, we can see which features we have access to (depending on the platform license) and the Maximum amount of NetScaler Gateway Users Allowed, which specifies the number of concurrent Universal licenses we have.

How a NetScaler chooses between the different licenses is defined at the virtual server level. A virtual server can be either in Basic mode or Smart Access mode. If a virtual server is in Basic mode, it uses the platform license and we are given access to the ICA proxy feature. In version 11 this is defined as ICA only mode, which can be enabled/disabled under the virtual server configuration:

NetScaler Gateway -> Virtual Servers -> Edit Basic Settings

If we have this enabled, we will not be able to use features which depend on Universal licenses, like SSL VPN or Full VPN. If we remove this checkbox, it will be enabled as a Smart Access virtual server and will start consuming Universal licenses when a user connects.

Another important thing to consider when setting up NetScaler Gateway is the number of supported users per appliance.

For Gateway deployments on a virtual appliance, meaning the NetScaler Gateway VPX or the NetScaler VPX, Citrix supports up to 1500 concurrent VPN or ICA users, while on the physical appliances Citrix supports from 5000 to 35,000 concurrent VPN or ICA users. The supported number of users on virtual or physical appliances all depends on the network, license, bandwidth usage and so on.

It is important to remember that this restriction is based upon access to SSL chips, which a regular VPX does not have. It is also important to remember that the limit of 1500 is based upon the resources available on the underlying hypervisor and packet engine CPUs.

NOTE: You can read more about packet engines and SSL performance on the VPX here: http://bit.ly/24RDmv1

When to use what?

Just to give some examples of when to use what in a Gateway scenario and what kind of license we need.

1: We just need Citrix Receiver remote access for our end users; we have about 500 users.
A NetScaler Gateway VPX would suffice, or a Gateway MPX if the customer wants physical hardware instead of placing the load on the virtualization platform. Remember the restrictions on the VPX in terms of SSL performance.

2: We need remote access for our users, but it will be a mix of Citrix access and VPN for 5000 users.
We can set up two virtual servers, where one is in Smart Access mode enabled for VPN, which will then use Universal licenses. We also set up another virtual server, used for ICA-proxy, in Basic mode, which will not require any Universal licenses. This way we can save money if only a few of our users are going to use VPN. On the other hand, this will give us two different IP addresses and FQDNs, which users have to remember. If all our users are going to be using VPN, then the best practice is to set up one virtual server in Smart Access mode, but then it is important that we have sufficient Universal licenses for all our users.

3: We have an existing NetScaler used for load balancing and need to set up remote access for Citrix.
In this case, we already have a NetScaler license in place; we just need to create a virtual server in ICA-only mode and define our policies.

4: We have an existing NetScaler Gateway VPX used for ICA-only, but want to use Unified Gateway to access SaaS-based applications.
First of all, we need to upgrade our license to NetScaler Enterprise, since Unified Gateway uses the AAA module, which is only part of Enterprise; then we need to recreate a virtual server which uses Unified Gateway. Unified Gateway also uses Universal licenses, so we need to buy more concurrent licenses as well.

Below is an example decision tree which shows when to choose what based upon the requirements. Note that not all examples are included in this tree, but it will give you some indication.

NetScaler and traffic flow

In order to properly configure a NetScaler, it is important to understand the traffic flow it operates in. By default, IP addresses are not bound to any particular interface; if there is a request for some content from an IP address that is owned by the NetScaler, it will respond on the interface where the request came from.

NetScaler operates at Layer 3 and operates with many different IP addresses. There are three primary addresses:

- NSIP
- VIP
- SNIP

NSIP is used for management, authentication traffic, some monitoring traffic, DNS and Syslog. We can have only one NSIP, and if we need to change this IP address we need to restart the appliance.

VIP is a packet processing IP; it represents a virtual service like a load balanced service or a NetScaler Gateway. It only handles incoming traffic, applies logic and forwards it to a backend IP. There is only one VIP per virtual server, but we can have as many of these as we want.

SNIP is a packet generating IP; it is typically set up in order for the NetScaler to communicate with backend resources on Layer 2. For instance, if we want to load balance two IIS web servers located on the 10.10.10.10/24 network, we would typically have a SNIP located on the 10.10.10.10/24 network which is used for communication between the NetScaler and the web servers. A SNIP can also be used to traverse different subnets as long as there is a route present. Remember also that when we create a SNIP on a NetScaler, it will automatically create a DIRECT ROUTE to that particular Layer 2 network in its routing table.

So just to give an example of how traffic will flow in a NetScaler setup.

We have a virtual server (load balanced server) which is represented by the IP 10.10.10.10. It has a load balancing method and persistence defined, and a number of servers attached in a service group, which has a monitor attached to it to make sure that the backend servers are up and running. The monitor is processed by the SNIP 192.168.1.110 to communicate with the backend servers on the different subnets.

1. Traffic hits the 10.10.10.10 IP from endpoint 1.1.1.1
2. The VIP processes the packet with the logic it has attached and forwards it internally
3. The NetScaler locates the closest SNIP to the backend resources on 192.168.1.0/24
4. The SNIP initiates a connection to the backend server, where the source IP will be the SNIP
5. The backend server responds back to the SNIP
6. The SNIP forwards the packet back based upon the internal session table
7. The VIP responds back to the endpoint 1.1.1.1 with the content

Now there are some things that are important to remember: a VIP is only a packet processing IP, so it cannot by itself send data back on the VIP. In this case we need to have a SNIP present on the same subnet to get packet generating capabilities on that subnet.

Note that the SNIP on the public facing interface will never be the source of the packets going back, but it is needed to be able to process packets on the way back. As I also mentioned, a SNIP can be on the same subnet where the backend resource resides, or in another subnet as long as it has a route present. In some cases you would need to deploy a SNIP in a DMZ and set up static routes to the different subnets so the traffic would be processed by the company firewall as well. We will cover some different network designs when we come to the deployment of the gateways.

General settings for NetScaler

Before we go ahead and start configuring NetScaler Gateway, there are some basic settings we should get in place to ensure that it is going to work properly.

- Add DNS servers (this can be done under Traffic Management -> Name Servers -> Click Add and enter the IP address of the server. If we go back to the Name Servers menu after adding a DNS server, it shows as UP. This uses simple ICMP to check if the DNS server is up or not, and all traffic going to the DNS server is sourced from the NSIP.)

NOTE: We can set up a load balanced DNS server on the NetScaler; this will then in turn set the source IP to the SNIP closest to the DNS server.

- Change the time zone and set up NTP sync (the time zone can be changed under System -> Settings -> Change time zone; click OK (do not restart right away), then go into NTP servers -> Click Add, enter the FQDN of the server and click OK. After adding a server, mark the server, select Action and choose Configure NTP Synchronization and mark it as enabled.)

External authentication for administrators

Setting up external authentication allows administrators to authenticate to the NetScaler using, for instance, their Active Directory users. In order to set this up, go into the GUI: System -> Authentication -> LDAP -> Servers and then click Add.

From there, define an Active Directory server.

Then we need to define an Active Directory base DN where our administrator users are located, which will be the scope when doing the LDAP bind. We also need to define an Active Directory service account which is used to query AD.

And finally we need to define a logon name attribute and group attributes so we can get information about the different groups and which ones are allowed access and which are not.

After we are done adding the information, click Create. Now go back to the GUI: System -> Authentication -> LDAP and then click on Policies and click Add.

Name the new policy, specify the LDAP server we just created and use the expression "ns_true".

Then click Create. Now go back to the GUI: System -> Authentication -> LDAP -> Policies -> Global Bindings, and from there click Add Binding. Choose the policy we just created and just use the default priority. The policy should appear like so:

Setting up ICA-proxy

This section will focus on all the aspects of setting up Citrix remote access using ICA Proxy. This feature does not require any additional licenses besides the platform license for NetScaler Gateway, or using it, for instance, as a sub-feature of NetScaler. This section takes a step-by-step approach and focuses on setting it up and configuring some of the other pieces, such as TCP profiles, to ensure optimal traffic flow. It also goes a bit more in depth on TCP profiles to give in-depth knowledge about the TCP protocol and traffic flow.

Now before we go into the configuration part, we should understand how the traffic flow of ICA-proxy is going to work after everything is properly configured, from an end client perspective.

NOTE: This scenario was created against a XenDesktop 7.8 environment, using NetScaler version 11.64 and Storefront 3.5. It is also important to note that this only requires a standard platform license; no additional licenses are required.

ICA-proxy traffic flow

This is a simple chart showing how traffic is going to originate from the end client and eventually lead to running a full ICA session.

A user
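The general settings and external administrator authentication steps described above (DNS servers, time zone and NTP, LDAP server, ns_true policy, global binding), expressed as NetScaler CLI commands. This is an added example, not taken from the eBook: the server addresses, domain, service account and group name are placeholders, and the LDAPS port, the search filter that restricts logins to an admin group and the system group to command policy binding go beyond the GUI steps shown.

```nscli
# Added example (not from the eBook): CLI equivalent of the general settings
# and external administrator authentication described in the text.
# Placeholders: 192.168.1.10 / 192.168.1.11 (AD domain controllers),
# example.com, svc_netscaler (service account), "NetScaler Admins" (AD group).

# --- General settings ---
# Name servers; resolution traffic is sourced from the NSIP.
add dns nameServer 192.168.1.10
add dns nameServer 192.168.1.11

# Time zone (set before NTP, no restart needed yet) and NTP synchronisation
set ns param -timezone "GMT+01:00-CET-Europe/Oslo"
add ntp server ntp.example.com
enable ntp sync

# --- External authentication for administrators ---
# LDAP action: AD server, base DN (scope of the bind), service account,
# logon name attribute and group attributes (memberOf / cn).
# LDAPS on 636 keeps the admin credentials off the wire; the search filter
# makes the login fail unless the user is in the admin group, which is an
# addition beyond the GUI steps (they only define the attributes).
add authentication ldapAction LDAP_AD_Admins -serverIP 192.168.1.10 -serverPort 636 -secType SSL -ldapBase "OU=Admins,DC=example,DC=com" -ldapBindDn "svc_netscaler@example.com" -ldapBindDnPassword "<service-account-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -searchFilter "memberOf=CN=NetScaler Admins,OU=Groups,DC=example,DC=com"

# Policy with the classic expression ns_true, bound globally for system logins
add authentication ldapPolicy LDAP_AD_Admins_pol ns_true LDAP_AD_Admins
bind system global LDAP_AD_Admins_pol -priority 100

# Map the extracted AD group name to a command policy so group membership,
# not a local account, decides what the administrator may do
add system group "NetScaler Admins"
bind system group "NetScaler Admins" -policyName superuser 100

# Verify and persist
show authentication ldapAction LDAP_AD_Admins
show system global
save ns config
```

Keep the local nsroot account usable until an LDAP login has been verified, so a typo in the base DN or filter does not lock you out of management.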

